LastPass Patches Two Security Vulnerabilities in Bookmarklets and One-Time Passwords

LastPass, the popular password manager available for the major web browsers, has patched a pair of security vulnerabilities that could allow attackers to target users and generate one-time passwords in order to access customer accounts.

LastPass has assured users that its security team has not seen any active exploits against the recently disclosed vulnerabilities and that no action, such as generating new one-time passwords or changing users' master account passwords, needs to be taken. LastPass notes that crafting such an attack is not difficult, but company officials state that one of the vulnerabilities only affects their bookmarklet product, which less than one percent of customers currently use.

“In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP,” LastPass officials said in a blog post about recently patched vulnerabilities.

Bookmarklets are pieces of JavaScript code that let password manager users log into their accounts without having to install any additional browser extensions. Bookmarklets, which are stored as bookmarks and executed in the context of the web application being visited, are useful for browsers that don't support extensions, most notably mobile browsers.

The first vulnerability, which lies within the bookmarklets, could allow an attacker to extract the passwords stored in a user's LastPass vault by tricking the victim into clicking the bookmarklet while visiting a specially crafted webpage.

The second disclosed vulnerability lies within one-time passwords, which a user can enable so that an attacker who has obtained the user's master password is hindered from gaining further access to the user's password vault. Researchers also found a cross-site request forgery (CSRF) flaw that attackers could have leveraged in the course of an attack, giving the attacker access to the targeted user's encrypted password database.

“Regarding the OTP attack, it is a ‘targeted attack’, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data.”

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” the LastPass blog continues.

LastPass is no stranger to attackers given the data the service secures.